| Field | Value |
|---|---|
| File name | 41877f9e09aae067dc58c6b1e29da9d93f0773b742f1e59e6175fe57ddf052ae.exe |
| Full analysis | https://app.any.run/tasks/28a70d0e-e313-4bec-af64-39869ec54ebf |
| Verdict | Malicious activity |
| Threats | Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. |
| Analysis date | January 10, 2025, 20:39:53 |
| OS | Windows 10 Professional (build: 19045, 64 bit) |
| Tags | |
| Indicators | |
| MIME | application/vnd.microsoft.portable-executable |
| File info | PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections |
| MD5 | 0A7F88A22AE393BE6AAF81E99911559E |
| SHA1 | 618BD53DCB394611C6EE90199ABE534D40DD6958 |
| SHA256 | 41877F9E09AAE067DC58C6B1E29DA9D93F0773B742F1E59E6175FE57DDF052AE |
| SSDEEP | 98304:8+7IIYN3A1dUKW83me3qNNW0DVU3aNkHTdvqlG9ehlzEJAuufVuVHvzULQkHYJLP:VkTb8 |
| Extension | Matched type (score) |
|---|---|
| .exe | Win64 Executable (generic) (64.6) |
| .dll | Win32 Dynamic Link Library (generic) (15.4) |
| .exe | Win32 Executable (generic) (10.5) |
| .exe | Generic Win/DOS Executable (4.6) |
| .exe | DOS Executable Generic (4.6) |
| Property | Value |
|---|---|
| Subsystem | Windows GUI |
| SubsystemVersion | 6 |
| ImageVersion | - |
| OSVersion | 6 |
| EntryPoint | 0x32b000 |
| UninitializedDataSize | - |
| InitializedDataSize | 104960 |
| CodeSize | 321024 |
| LinkerVersion | 14.24 |
| PEType | PE32 |
| ImageFileCharacteristics | Executable, 32-bit |
| TimeStamp | 2024:07:25 12:10:38+00:00 |
| MachineType | Intel 386 or later, and compatibles |
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 5864 | "C:\Users\admin\Desktop\41877f9e09aae067dc58c6b1e29da9d93f0773b742f1e59e6175fe57ddf052ae.exe" | C:\Users\admin\Desktop\41877f9e09aae067dc58c6b1e29da9d93f0773b742f1e59e6175fe57ddf052ae.exe | | explorer.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
| 5096 | "C:\Users\admin\AppData\Local\Temp\44111dbc49\axplong.exe" | C:\Users\admin\AppData\Local\Temp\44111dbc49\axplong.exe | Amadey (configuration extracted, see below) | 41877f9e09aae067dc58c6b1e29da9d93f0773b742f1e59e6175fe57ddf052ae.exe | User: admin; Integrity Level: MEDIUM |
| 4556 | "C:\Users\admin\AppData\Local\Temp\1001527001\legs.exe" | C:\Users\admin\AppData\Local\Temp\1001527001\legs.exe | | axplong.exe | User: admin; Integrity Level: MEDIUM; Exit code: 3221226505 |
| 3840 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | legs.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Console Window Host; Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800) |
| 1616 | "C:\Users\admin\AppData\Local\Temp\1001527001\legs.exe" | C:\Users\admin\AppData\Local\Temp\1001527001\legs.exe | | legs.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
| 1328 | C:\WINDOWS\SysWOW64\WerFault.exe -u -p 4556 -s 136 | C:\Windows\SysWOW64\WerFault.exe | | legs.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Problem Reporting; Exit code: 0; Version: 10.0.19041.3996 (WinBuild.160101.0800) |
| 2192 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | | services.exe | User: NETWORK SERVICE; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Host Process for Windows Services; Version: 10.0.19041.1 (WinBuild.160101.0800) |
| 5268 | "C:\Users\admin\AppData\Local\Temp\1004899001\am209.exe" | C:\Users\admin\AppData\Local\Temp\1004899001\am209.exe | | axplong.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
| 2996 | "C:\Users\admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe" | C:\Users\admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe | Amadey (configuration extracted, see below) | am209.exe | User: admin; Integrity Level: MEDIUM |
| 5316 | "C:\Users\admin\AppData\Local\Temp\1010910001\696969.exe" | C:\Users\admin\AppData\Local\Temp\1010910001\696969.exe | | axplong.exe | User: admin; Integrity Level: MEDIUM; Exit code: 3221225477 |

Extracted configuration for (PID 5096) axplong.exe:

| Field | Value |
|---|---|
| Family | Amadey |
| Process | (5096) axplong.exe |
| C2 | 185.215.113.16 |
| URL | http://185.215.113.16/Jo89Ku7d/index.php |
| Version | 4.41 |
| Drop directory | 44111dbc49 |
| Drop name | axplong.exe |

Strings (119): lv: kernel32.dll GET && ?scr=1 4.41 ------ exe Doctor Web wb Sophos ESET Programs %-lu abcdefghijklmnopqrstuvwxyz0123456789-_ av: un: -executionpolicy remotesigned -File " Content-Type: multipart/form-data; boundary=---- \0000 Content-Type: application/x-www-form-urlencoded rundll32 44111dbc49 pc: DefaultSettings.XResolution -- ar: 2016 id: ::: Startup SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders dm: SYSTEM\ControlSet001\Services\BasicDisplay\Video cred.dll|clip.dll| " og: &unit= rundll32.exe " && ren /k Avira <d> SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders 360TotalSecurity "
Content-Type: application/octet-stream os: axplong.exe SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName -unicode- %USERPROFILE% zip /quiet # CurrentBuild Powershell.exe cmd DefaultSettings.YResolution Main ProductName msi SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce dll rb r= clip.dll SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\ VideoID POST Content-Disposition: form-data; name="data"; filename=" 2019 /Plugins/ 2022 d1 Norton " && timeout 1 && del .jpg ps1 shutdown -s -t 0 sd: ProgramData\ e0 185.215.113.16 bi: -%lu GetNativeSystemInfo e2 Comodo ComputerName ------ st=s \App random 0123456789 Panda Security vs: shell32.dll https:// \ http:// Kaspersky Lab SOFTWARE\Microsoft\Windows\CurrentVersion\Run /Jo89Ku7d/index.php | AVG cmd /C RMDIR /s/q WinDefender "taskkill /f /im " +++ S-%lu- cred.dll AVAST Software && Exit" SOFTWARE\Microsoft\Windows NT\CurrentVersion Rem Bitdefender = e1 <c>

Extracted configuration for (PID 2996) defnur.exe:

| Field | Value |
|---|---|
| Family | Amadey |
| Process | (2996) defnur.exe |
| C2 | 185.215.113.209 |
| URL | http://185.215.113.209/Fru7Nk9/index.php |
| Version | 5.04 |
| Drop directory | fc9e0aaab7 |
| Drop name | defnur.exe |

Strings (125): lv: kernel32.dll GET && ?scr=1 00000422 ------ exe Doctor Web wb Sophos ESET Programs %-lu abcdefghijklmnopqrstuvwxyz0123456789-_ av: un: -executionpolicy remotesigned -File " Content-Type: multipart/form-data; boundary=---- \0000 Content-Type: application/x-www-form-urlencoded rundll32 pc: DefaultSettings.XResolution -- ar: 2016 id: ::: 5.04 SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup dm: SYSTEM\ControlSet001\Services\BasicDisplay\Video 00000423 cred.dll|clip.dll| " og: &unit= rundll32.exe fc9e0aaab7 " && ren 00000419 defnur.exe /k Avira <d> SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders 360TotalSecurity "
Content-Type: application/octet-stream os: e3 0000043f SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName -unicode- %USERPROFILE% zip /quiet # CurrentBuild Powershell.exe cmd DefaultSettings.YResolution Main ProductName msi SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce dll rb r= clip.dll SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\ VideoID POST Content-Disposition: form-data; name="data"; filename=" 2019 /Plugins/ 185.215.113.209 2022 d1 Norton " && timeout 1 && del .jpg ps1 shutdown -s -t 0 sd: ProgramData\ bi: -%lu GetNativeSystemInfo e2 Comodo ComputerName ------ st=s \App random 0123456789 Panda Security vs: shell32.dll https:// \ http:// Keyboard Layout\Preload Kaspersky Lab SOFTWARE\Microsoft\Windows\CurrentVersion\Run | AVG /Fru7Nk9/index.php cmd /C RMDIR /s/q WinDefender "taskkill /f /im " +++ S-%lu- cred.dll 2025 AVAST Software && Exit" SOFTWARE\Microsoft\Windows NT\CurrentVersion Rem Bitdefender = e1 <c>
| (PID) Process | Key | Operation | Name | Value |
|---|---|---|---|---|
| (5096) axplong.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | write | CachePrefix | |
| (5096) axplong.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | write | CachePrefix | Cookie: |
| (5096) axplong.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | write | CachePrefix | Visited: |
| (2996) defnur.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | write | CachePrefix | |
| (2996) defnur.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | write | CachePrefix | Cookie: |
| (2996) defnur.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | write | CachePrefix | Visited: |
| (5316) 696969.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | write | CachePrefix | |
| (5316) 696969.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | write | CachePrefix | Cookie: |
| (5316) 696969.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | write | CachePrefix | Visited: |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 1328 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_legs.exe_b69dcd31991ac936315188b4a52a885c5ebfec_fdf40bfd_e89d49c0-6286-4fc8-8731-48d80fc2740f\Report.wer | — | — | — |
| 1328 | WerFault.exe | C:\Users\admin\AppData\Local\CrashDumps\legs.exe.4556.dmp | — | — | — |
| 1348 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_696969.exe_b364b07473c6281ded8b432832f7dffc980d0_d85faf26_a2a88736-f325-4d53-a734-79623dcc16f2\Report.wer | — | — | — |
| 5864 | 41877f9e09aae067dc58c6b1e29da9d93f0773b742f1e59e6175fe57ddf052ae.exe | C:\Windows\Tasks\axplong.job | binary | D446F281DFEBA704B5320A0013F90407 | 14BC0492B14E482FD4D09B3AEA9CE72C69916C1FC623564FDED6F2AB82936503 |
| 1328 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERA8F5.tmp.dmp | binary | 10DD4789E29A610D920E179A6065F235 | 9E9E1566D184B80B11AAE2B7665637277B3E1F871C8D46CCED0CAAA79F36F818 |
| 1328 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERAA1F.tmp.WERInternalMetadata.xml | xml | 36BCF3516079CB45F21B95DD9A2CA12D | 292E3D4BC617BFFE1B10F5C93C3FF37D62513377FD8C83101FB4D10DEFD543C4 |
| 5268 | am209.exe | C:\Windows\Tasks\defnur.job | binary | 90BB6E0DD851EA0D50E416EF6D42E49C | BE277E49A8A5307E2B5A7DD1EAFF0FCA01290A11DA223DCE17F499CB6F8874C9 |
| 1328 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERAA4F.tmp.xml | xml | 42A98A39F238CBFBF8A74E30EB2A2689 | 2E3D1EE950A29A6335D59264D27032EA124CAA576B855734B8FC80977EDE6299 |
| 5864 | 41877f9e09aae067dc58c6b1e29da9d93f0773b742f1e59e6175fe57ddf052ae.exe | C:\Users\admin\AppData\Local\Temp\44111dbc49\axplong.exe | executable | 0A7F88A22AE393BE6AAF81E99911559E | 41877F9E09AAE067DC58C6B1E29DA9D93F0773B742F1E59E6175FE57DDF052AE |
| 5096 | axplong.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\696969[1].exe | executable | 89AD45B4A0E2D547C1E09D0A1EA94DF6 | 18F4E82898557BA7F23F5B58E181793AEE6B9EE066258CE0B8FDBA63A714C4F8 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3296 | svchost.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
5096 | axplong.exe | POST | 200 | 185.215.113.16:80 | http://185.215.113.16/Jo89Ku7d/index.php | unknown | — | — | malicious |
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
3296 | svchost.exe | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5096 | axplong.exe | POST | 200 | 185.215.113.16:80 | http://185.215.113.16/Jo89Ku7d/index.php | unknown | — | — | malicious |
5096 | axplong.exe | POST | 200 | 185.215.113.16:80 | http://185.215.113.16/Jo89Ku7d/index.php | unknown | — | — | malicious |
5096 | axplong.exe | GET | 200 | 185.215.113.16:80 | http://185.215.113.16/inc/legs.exe | unknown | — | — | malicious |
5096 | axplong.exe | GET | 200 | 185.215.113.16:80 | http://185.215.113.16/test/am209.exe | unknown | — | — | malicious |
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
5096 | axplong.exe | POST | 200 | 185.215.113.16:80 | http://185.215.113.16/Jo89Ku7d/index.php | unknown | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4712 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
3296 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
— | — | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
3296 | svchost.exe | 2.16.241.19:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
4712 | MoUsoCoreWorker.exe | 2.16.241.19:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
3296 | svchost.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted |
4712 | MoUsoCoreWorker.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted |
4712 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
5096 | axplong.exe | 185.215.113.16:80 | — | 1337team Limited | SC | malicious |
| Domain | IP | Reputation |
|---|---|---|
| settings-win.data.microsoft.com | | whitelisted |
| google.com | | whitelisted |
| crl.microsoft.com | | whitelisted |
| www.microsoft.com | | whitelisted |
| pancakedipyps.click | | malicious |
| nearycrepso.shop | | malicious |
| abruptyopsn.shop | | malicious |
| wholersorie.shop | | malicious |
| framekgirus.shop | | malicious |
| tirepublicerj.shop | | malicious |
PID | Process | Class | Message |
---|---|---|---|
— | — | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 33 |
— | — | Malware Command and Control Activity Detected | BOTNET [ANY.RUN] Amadey HTTP POST Request (st=s) |
— | — | Potentially Bad Traffic | ET INFO Executable Download from dotted-quad Host |
— | — | Misc activity | ET INFO Packed Executable Download |
— | — | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
— | — | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
— | — | Potentially Bad Traffic | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response |
— | — | A Network Trojan was detected | ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 |
— | — | Potentially Bad Traffic | ET INFO Executable Download from dotted-quad Host |
— | — | Domain Observed Used for C2 Detected | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (nearycrepso .shop) |
| Process | Message |
|---|---|
| 41877f9e09aae067dc58c6b1e29da9d93f0773b742f1e59e6175fe57ddf052ae.exe | %s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------ |
| axplong.exe | %s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------ |
| axplong.exe | %s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------ |
| axplong.exe | %s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------ |